ryuk | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703

Analysis

max time kernel
131s
max time network
140s
platform
windows11_x64
resource
win11
submitted
20-10-2021 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Size

170KB
MD5

1bd7d1b87c5091a9653fe8005892b784
SHA1

3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
SHA256

f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703
SHA512

4c13373a150b1e3bd12fdd9ad5c379a43e41c59ba5b6dd6982c79599839128bcbde30d7083a810d66604382f4d5aff24c22b504fdaab03f6743a7dc263d85651

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 3948 created 4212	3948	WerFault.exe	DllHost.exe
PID 3372 created 4020	3372	WerFault.exe	DllHost.exe
PID 5828 created 3648	5828	WerFault.exe	StartMenuExperienceHost.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops startup file 1 IoCs

Processes:

sihost.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt sihost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	sihost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG3.TTF	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\th.pak	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Beta.msix.DATA	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Notifications\SoftLandingAssetLight.gif.DATA	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Trust Protection Lists\Mu\LICENSE	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\ne.pak	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White@3x.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\swiftshader\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\msedge_100_percent.pak.DATA	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\nl.pak.DATA	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Trust Protection Lists\Mu\Entities	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.ELM	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxk	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Locales\mr.pak	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\tt.pak	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb	sihost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\qu.pak.DATA	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Locales\uk.pak	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Notifications\SoftLandingAssetDark.gif	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\mt.pak	sihost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\RyukReadMe.txt	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5080 4212 WerFault.exe DllHost.exe
4948 4020 WerFault.exe DllHost.exe
6832 3648 WerFault.exe StartMenuExperienceHost.exe

pid	pid_target	process	target process
5080	4212	WerFault.exe	DllHost.exe
4948	4020	WerFault.exe	DllHost.exe
6832	3648	WerFault.exe	StartMenuExperienceHost.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

16132 vssadmin.exe
17188 vssadmin.exe
17608 vssadmin.exe
22308 vssadmin.exe
45996 vssadmin.exe
8844 vssadmin.exe
13800 vssadmin.exe
14456 vssadmin.exe

pid	process
16132	vssadmin.exe
17188	vssadmin.exe
17608	vssadmin.exe
22308	vssadmin.exe
45996	vssadmin.exe
8844	vssadmin.exe
13800	vssadmin.exe
14456	vssadmin.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe

Modifies registry class 3 IoCs

Processes:

StartMenuExperienceHost.exeRuntimeBroker.exesihost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{6D1AE8BB-DABA-4A89-8A00-370A8046B379}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings	sihost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
4948	WerFault.exe
4948	WerFault.exe
5080	WerFault.exe
5080	WerFault.exe
6832	WerFault.exe
6832	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exef130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exevssvc.exe

description	pid	process
Token: SeSystemtimePrivilege	4540	svchost.exe
Token: SeSystemtimePrivilege	4540	svchost.exe
Token: SeIncBasePriorityPrivilege	4540	svchost.exe
Token: SeDebugPrivilege	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Token: SeBackupPrivilege	46028	vssvc.exe
Token: SeRestorePrivilege	46028	vssvc.exe
Token: SeAuditPrivilege	46028	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sihost.exe

pid process

46056 sihost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

21676 StartMenuExperienceHost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

sihost.exe

pid process

2060 sihost.exe

pid	process
46056	sihost.exe

pid	process
21676	StartMenuExperienceHost.exe

pid	process
2060	sihost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.execmd.exeWerFault.exeWerFault.exeWerFault.exesihost.execmd.exe

description	pid	process	target process
PID 1416 wrote to memory of 1952	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	cmd.exe
PID 1416 wrote to memory of 1952	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	cmd.exe
PID 1416 wrote to memory of 2060	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	sihost.exe
PID 1952 wrote to memory of 2472	1952	cmd.exe	reg.exe
PID 1952 wrote to memory of 2472	1952	cmd.exe	reg.exe
PID 1416 wrote to memory of 3052	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	svchost.exe
PID 1416 wrote to memory of 3360	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	svchost.exe
PID 1416 wrote to memory of 3636	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	SearchHost.exe
PID 1416 wrote to memory of 3648	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	StartMenuExperienceHost.exe
PID 1416 wrote to memory of 3744	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	RuntimeBroker.exe
PID 1416 wrote to memory of 3880	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	svchost.exe
PID 1416 wrote to memory of 3900	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	RuntimeBroker.exe
PID 1416 wrote to memory of 4020	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	DllHost.exe
PID 1416 wrote to memory of 4212	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	DllHost.exe
PID 1416 wrote to memory of 4332	1416	f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe	smartscreen.exe
PID 3948 wrote to memory of 4212	3948	WerFault.exe	DllHost.exe
PID 3948 wrote to memory of 4212	3948	WerFault.exe	DllHost.exe
PID 3372 wrote to memory of 4020	3372	WerFault.exe	DllHost.exe
PID 3372 wrote to memory of 4020	3372	WerFault.exe	DllHost.exe
PID 5828 wrote to memory of 3648	5828	WerFault.exe	StartMenuExperienceHost.exe
PID 5828 wrote to memory of 3648	5828	WerFault.exe	StartMenuExperienceHost.exe
PID 2060 wrote to memory of 45940	2060	sihost.exe	cmd.exe
PID 2060 wrote to memory of 45940	2060	sihost.exe	cmd.exe
PID 45940 wrote to memory of 45996	45940	cmd.exe	vssadmin.exe
PID 45940 wrote to memory of 45996	45940	cmd.exe	vssadmin.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4020 -s 444
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:4332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4212 -s 860
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3648 -s 2496
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:6832

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3052

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:45940

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:45996

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:8844

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:13800

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:14456

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:16132

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:17188

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:17608

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:22308

C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f
3⤵
- Adds Run key to start application
PID:2472

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv BJOrJJFaFUKh1w9S2mfmtA.0
1⤵
PID:4712

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4892

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4020 -ip 4020
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4212 -ip 4212
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 3648 -ip 3648
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:21676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:46028

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:46056

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
PID:3048

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:19360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:19348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$WinREAgent\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\$WinREAgent\Scratch\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\BOOTSECT.BAK
MD5
99beb85853735c0adce0851c026c33b8

SHA1
643cef3ce3d7f84166b0b64da7985d6da480fc22

SHA256
bc0410068eb6a53949208e70a864073225f102e8cfc2cf7be2e26216f25a7cb8

SHA512
14b155ff672bce0d2be0c52c4652c343395ff7a1e69934b63849ce4c2a9a71550756029c0ede149c0bf1b92ae4fb99e58c70f66616312f477e710feb4f23a269

Download Submit
C:\Boot\BCD
MD5
8332a8bfb06d5c71d4a8818c4c4655ea

SHA1
c766ca2fcbacf318b70f1f1f92484b47a36b2ffb

SHA256
f7a7bb9342b4daefd8a3a38a610d26e042d711e9f15b8cc4c88605aef16a8a69

SHA512
972fd6581695abb62cd5809630ef729e6d6b1eb73389be9217d67c88a05a227fe0c189d404848917d83391e83ad53d3204c812f3efa8e1d7cc45119dceb61db6

Download Submit
C:\Boot\BOOTSTAT.DAT
MD5
d53ce4ab24e5ae0802a2b7148f23ab2f

SHA1
76874b2af16b9291efab66f4f3fc8285e6fdbbea

SHA256
96389eb2b49c00c67cc3445328260f8406d66119b9be6cc6cfe46d9a7190938f

SHA512
564d3c82bde0b9899bf9e2ff44244f07b44e7e6d6c2328e2ea9454577e26205b433a4edb4a7d7c62a7e169b6b08fd0fbfa150edde0f2635471aaea361dec47a9

Download Submit
C:\Boot\Fonts\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\Resources\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\bg-BG\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\cs-CZ\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\da-DK\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\de-DE\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\el-GR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\en-GB\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\en-US\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\es-ES\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\es-MX\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\et-EE\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\fi-FI\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\fr-CA\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\fr-FR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\hr-HR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\hu-HU\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\it-IT\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\ja-JP\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\ko-KR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\lt-LT\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\lv-LV\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\nb-NO\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\nl-NL\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\pl-PL\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\pt-BR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\pt-PT\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\qps-ploc\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\qps-plocm\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\ro-RO\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\ru-RU\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\sk-SK\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\sl-SI\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\sv-SE\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\tr-TR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\uk-UA\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\zh-CN\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Boot\zh-TW\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\DumpStack.log
MD5
39a0050e97d9a1a05100185003ee45ae

SHA1
cc89794d956d30212d20326ee96fbd8731ee678a

SHA256
372eff426aad06266564ddfc001c6cf0c8f848fba26b7114b0f98dcf5cadedc9

SHA512
4c3e677459a76c11ac4e51da8f1587a68278e064a86dd41b7e70e12182827df2e71c3f46595b07dd5f44a47d1a4f17a6435b2b22530a01e41467ccf5d527633d

Download Submit
C:\PerfLogs\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB
MD5
73bc43b04041808db544c342c0e16b91

SHA1
de1c1fffa753bbb5c77a6977c225fa7ab5bbf2b1

SHA256
7f2ef44d7c3584c03d2537fca801a76663204268ed863721fd80f0a07a16deca

SHA512
e9075c2760fdb729d7d1b6ad38d10ab86e22872326c14e1b3788d7cbf01cf7e3550c838081bb152737870918e313f71303cf4a88d1bf9fe35e2b38e366ce64ce

Download Submit
C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_ff33445f-a36e-4a95-8e5f-bca99faf3ebd
MD5
f5977f50354b0ae37c81e26b1742406c

SHA1
33de00e857806dc9ff233132e7d079b1cc325b26

SHA256
9f07fcdb51915bab454927f8888bae38c2de9aa40693274907dac97b42e24663

SHA512
cea131cb2fb7cf4f1d0cd49c87a3aeb6fdc4118ab6eb8244712c9f4459abb2ca22c1492100ddcc9fe1b06c8d78f11479e8459b9b380b2c6c731c034ef77f1bd3

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.log
MD5
66f04df8bc42efab6cafe0c0da12882a

SHA1
cbeea98cba4a89a7d6879f33feead78672323a51

SHA256
dbd05321e75ca680d76e448ac157ca0e2d238134d4cd449940a26e40b5060220

SHA512
445651c951a8d8d3d0337deee880164987209c3b1ed423902edab4c1db5decda1ba826e471c5848414da58b78d20fa5fc07f7a53ee7be294f5f7265c2b34169e

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
MD5
84eeafba7e4ff7be312fb21ea5e11e20

SHA1
8a4449ff0d89dba9ca1977f1647d2bcc034a5b09

SHA256
a9762c50e934a30928712db71f152c9fa2c6d2bc0015cd220bb94c13094c45e4

SHA512
64963cf72d7848ef4fee46e0b2e4e9a08e701ab54cbcd56d8e477c753a505b3a1932d8ff6d5200413df53148551743d0ae078bd945ed348056c9d6b80d6c76c9

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
MD5
bd88e934d79580ac8d4d4b642105f337

SHA1
f1156d2cc405070ecb5cc3d062be811cca2fd65f

SHA256
d596c88037b43d19347776fccce2f0f9bd4b87023957ae1790110b5e6715311a

SHA512
12ae762b0839f34a20b26a98d3d1b2a5e2bdaacd9608cabc141a8717619c524e10b08cfc8323bae68a18e2b314c705df71a1321d4096d1d90447841655e240fc

Download Submit
C:\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
18371c99a486432e92520b8e549f2d71

SHA1
0ff3eb4307d9270fe36797f1122e76b0df144e74

SHA256
a13ac1e2425a6a604d720d151634f6216d70b71ea2bd4eb2da92bf24c9615087

SHA512
dccc6db54c30657700abba9a8e3aab557b47151eeffcefb4c7686f44712f7b8b71746153e3898fe5df158bdec37fbcd4268664fe5b47fa5638d0b5adc2aff28c

Download Submit
C:\odt\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\odt\config.xml
MD5
3eb1c08d93155d982271b1811d6f2b72

SHA1
808d1f2a2d0edf31a76261418c421b069a29ff34

SHA256
62f91443c73505967fcddbc2c7ee716782dc023d60d871e311660a15d929895b

SHA512
2e99a2c4664ebf90f46cae6484606568b41120105342aae3b4fe627f70a85461480e9088b22847d262a955f032a2fec26650dc817b9980e6846080c71e37f9e0

Download Submit
C:\users\Public\window.bat
MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/1952-149-0x0000000000000000-mapping.dmp

Download
memory/2060-150-0x00007FF663140000-0x00007FF6634CE000-memory.dmp

Filesize
3.6MB

Download
memory/2472-151-0x0000000000000000-mapping.dmp

Download
memory/3048-165-0x0000000000000000-mapping.dmp

Download
memory/4604-234-0x0000022B56040000-0x0000022B56041000-memory.dmp

Filesize
4KB

Download
memory/4604-146-0x0000022B53AC0000-0x0000022B53AD0000-memory.dmp

Filesize
64KB

Download
memory/4604-233-0x0000022B56160000-0x0000022B56164000-memory.dmp

Filesize
16KB

Download
memory/4604-232-0x0000022B56160000-0x0000022B56161000-memory.dmp

Filesize
4KB

Download
memory/4604-231-0x0000022B56170000-0x0000022B56174000-memory.dmp

Filesize
16KB

Download
memory/4604-229-0x0000022B563F0000-0x0000022B563F1000-memory.dmp

Filesize
4KB

Download
memory/4604-148-0x0000022B56140000-0x0000022B56144000-memory.dmp

Filesize
16KB

Download
memory/4604-147-0x0000022B53B40000-0x0000022B53B50000-memory.dmp

Filesize
64KB

Download
memory/4604-228-0x0000022B56430000-0x0000022B56434000-memory.dmp

Filesize
16KB

Download
memory/8844-224-0x0000000000000000-mapping.dmp

Download
memory/13800-225-0x0000000000000000-mapping.dmp

Download
memory/14456-226-0x0000000000000000-mapping.dmp

Download
memory/16132-227-0x0000000000000000-mapping.dmp

Download
memory/17188-230-0x0000000000000000-mapping.dmp

Download
memory/17608-235-0x0000000000000000-mapping.dmp

Download
memory/19348-238-0x000001C067360000-0x000001C067362000-memory.dmp

Filesize
8KB

Download
memory/19348-237-0x000001C067360000-0x000001C067362000-memory.dmp

Filesize
8KB

Download
memory/19360-236-0x000002B61AD70000-0x000002B61AD72000-memory.dmp

Filesize
8KB

Download
memory/21676-156-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmp

Filesize
8KB

Download
memory/21676-164-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmp

Filesize
8KB

Download
memory/21676-163-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmp

Filesize
8KB

Download
memory/21676-157-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmp

Filesize
8KB

Download
memory/21676-155-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmp

Filesize
8KB

Download
memory/45940-159-0x0000000000000000-mapping.dmp

Download
memory/45996-161-0x0000000000000000-mapping.dmp

Download